[Freeipa-devel] GSSAPI/krb5 troubles after dirsrv restart
Rob Crittenden
rcritten at redhat.com
Thu Oct 9 14:21:22 UTC 2008
Thomas Sailer wrote:
> On Thu, 2008-10-09 at 10:04 -0400, Rob Crittenden wrote:
>
>> Check the owner and/or permissions of /etc/dirsrv/ds.keytab.
>>
>> It should be owned by the user that FDS runs as and be mode 0600. Mine
>> looks like:
>>
>> -rw------- 1 dirsrv dirsrv 436 2008-09-17 23:03 /etc/dirsrv/ds.keytab
>
> Mine does too:
>
> # ls -l /etc/dirsrv/ds.keytab
> -rw------- 1 dirsrv dirsrv 484 2008-02-05 12:30 /etc/dirsrv/ds.keytab
>
> Thanks,
> Tom

Hmm, ok. It definitely appears to be some file or directory permissions
issue. Does the FDS error log have anything interesting in it?

A brute-force way to find the answer is to start FDS with strace,
something like:

# /etc/init.d/dirsrv stop
# strace -o /tmp/out -fF /etc/init.d/dirsrv start
[ in another session try your search ]
[ in another root session ]
# /etc/init.d/dirsrv stop

Look for EACCES in /tmp/out. Don't be too alarmed about some failures.
Kerberos, for example, tries to open /etc/krb5.conf as writable for some
reason, but falls back to read-only if that fails.

rob
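
Added example (not part of the original message or of FreeIPA): a small Python filter for the strace output file that lists EACCES failures and drops the harmless ones where the same process later opens the same path successfully, as in the krb5.conf fallback described above. The sample trace lines, pids and the function name unresolved_eacces are constructed for illustration.

```python
import re
import sys

# Constructed sample in "strace -f -o FILE" format (pid-prefixed lines).
SAMPLE = """\
2101  open("/etc/krb5.conf", O_RDWR) = -1 EACCES (Permission denied)
2101  open("/etc/krb5.conf", O_RDONLY) = 5
2101  open("/etc/dirsrv/ds.keytab", O_RDONLY) = -1 EACCES (Permission denied)
2102  openat(AT_FDCWD, "/var/tmp/ldap_487", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)
2101  stat("/etc/dirsrv", {st_mode=S_IFDIR|0755, ...}) = 0
2102  access("/var/lock/dirsrv", W_OK) = -1 EACCES (Permission denied)
"""

# pid, syscall, first quoted path argument, return value, optional errno name
LINE = re.compile(
    r'^(\d+)\s+(\w+)\([^"]*?"((?:[^"\\]|\\.)*)".*\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?'
)
OPEN_CALLS = {"open", "openat"}


def unresolved_eacces(trace_text):
    """Return sorted (path, syscall, pid) for EACCES failures with no later fallback."""
    pending = {}  # (pid, path) -> syscall that was first denied
    for line in trace_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # signals, exits, "<unfinished ...>" fragments
        pid, call, path, ret, err = m.groups()
        key = (pid, path)
        if err == "EACCES":
            pending.setdefault(key, call)
        elif call in OPEN_CALLS and int(ret) >= 0 and pending.get(key) in OPEN_CALLS:
            # Same process later opened the same path successfully, e.g. the
            # krb5.conf read-write attempt followed by a read-only open.
            del pending[key]
    return sorted((path, call, int(pid)) for (pid, path), call in pending.items())


if __name__ == "__main__":
    # Pass the trace file (e.g. /tmp/out) as the first argument; else use SAMPLE.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], errors="replace").read()
    else:
        text = SAMPLE
    for path, call, pid in unresolved_eacces(text):
        print(f"EACCES pid={pid} {call}() {path}")
```

Each remaining path is a candidate for an ownership or mode check with ls -l, including its parent directories.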